Information Security

Lecture 5
Asset Security
Osamah Ahmad
osamah.ahmed@riphah.edu.pk

1
 1) Security and Risk Management
2) Asset Security
3) Security Engineering
4) Communication and Network
Domain 2: Security
Asset Security 5) Identity and Access
Management
6) Security Assessment and Testing
7) Security Operations
8) Software Development Security

2
Asset Types

• Assets may be tangible (computers, facilities,

supplies)
• or intangible (reputation, data, intellectual
property).
Resource Protection

• Resource Protection may deal with:

• Facility
• Hardware
• Software
• Documentation
• Human Resource
Resource Protection

• Facilities
• Water and sewage
• Electricity
• Fire alarms and fire suppression
• Environmental controls
• Communications
• Security controls
Resource Protection (cont.)

• Hardware
• Servers
• Workstations
• Network devices
• Wireless networks
• Printers, copiers
• Handheld devices
• Cabling
Resource Protection (cont.)

• Software
• Licensing
• Access control
• Source code (preventing disclosure)
• Intellectual property
• Business logic
• Security
• Source code control
• Software development lifecycle
Resource Protection (cont.)

• Documentation
• May contain trade secrets and sensitive
information
• Processes, procedures, and instructions
• Version control
• Access control
Common Damage Scenarios

• Software or data corruption

• Equipment malfunction
• Critical personnel become unavailable
• Utilities become unavailable (HVAC, power,
communications lines)
• Facility becomes unavailable
• Vendor and service providers become unavailable
Data Handling

• Security controls for handling the storage media

are:
• Marking
• Access Control
• Storage
• Destruction
• Retention
Handling

• Designated responsibilities in place

• Individuals should be properly and regularly trained
• Never assume that all members of the
organization are aware of security policy and
procedures
• Access logs should be maintained
• Manual
• Automated
Marking

• Storage media should have a physical label

identifying:
• the sensitivity of the information contained
• clearly indicate if the media is encrypted
• contain point of contact information
• retention period
• When media is found without a label
• should be immediately labeled at the highest
level of sensitivity
• until the appropriate analysis reveals otherwise
• Should have organization level media marking
policy
Storage Protection
• Defense-in-Depth
• Never rely on a single security control
• Always deploy multiple security controls for establishing
multiple defense lines
• Security controls include both physical as well as logical
controls
• Physical
• Facility level access control
• Room level access control
• Safe containers, Security cameras
• Logical
• System level access control
• Application level access control
• Data encryption
Backups

• Provide protection against loss due to malfunctions,

failures, mistakes, and disasters
• Make copies of data regularly.
• Automate the backup making process.
• Save backup copies on different mediums.
• Store backups at remote locations.
• 3-2-1 backup strategy
• 3 total copies of data
• 2 of them local on different medias
• 1 copy at remote site
Protection of Backup Media

• Backup media contains sensitive information

• Requires same level of security control as original
information
• Keep in locked cabinets
Offsite Storage of Backup Media

• Reduce risk of loss of backup media in the event of

a disaster that destroys data center
• Fire, flood, sabotage
• Factors affecting offsite backup
• Distance from business location
• Security of backup data transportation
• Security of remote storage center
• Resilience of remote storage center against similar
disasters
Backup Strategies

•Full Backup
• All data are backed up and saved to some type of
storage media.
•Incremental Backup
• Differential Backup
• Backs up the files that have been modified since
the last full backup.
Off-Site Data Replication

• Sending critical data out of the main site as part of

the disaster recovery plan
• Two strategies exist for this purpose:
• Using removable storage
• Magnetic Taps, Optical Disks, Hard Disks
• Via remote backup service
• Online backup, Cloud storage, Electronic Vaults
• Which of these two strategies is better?
• Depends on circumstances
• E.g. amount of data to be transferred
Offsite Facility Options

• Cold Site
• Basic structure/utilities available. Computing
infrastructure may be available but not operational
• Warm Site
• Partially configured
• Hot Site
• Almost like primary site. Near-to-complete backup.
Expensive to maintain.
• Reciprocal Agreement
• Company A agrees to allow company B to use its facilities
if company B is hit by a disaster
• Tertiary Site
• Backup of Backup
Disaster Recovery Tiers

•IBM backed disaster recovery tiers required

to support business continuity:
• Tier 0: No off-site data – Possibly no recovery
• Tier 1: Data backup with no hot site
• Tier 2: Data backup with a hot site
• Tier 3: Electronic vaulting
• Tier ..: … …

[reference]: https://en.wikipedia.org/wiki/Seven_tiers_of_disaster_recovery
Data Restoration

•Periodic testing to ensure that data,

that is backed up, can be restored
• On same computer/system
• On different computer/system
•Provable evidence that backups are being
performed properly
• Unreadable/unrecoverable backup is a major
issue
Time to Restore Business Operations
Summary of Recovery Domains
• Facility
• Cold, warm, hot, reciprocal sites
• Infrastructure
• fault tolerance, load balancing
• Storage
• RAID, Storage Area Network (SAN), mirroring, disk
shadowing, cloud storage
• Server
• Clustering, cloud computing
• Backups
• Tapes, online replication
• Business processes
• People
Data Destruction

• Purpose: ensure that discarded information is truly

destroyed
• Once information has reached the end
of its need, its destruction needs
to be carried out
• In a manner that is proportional to its sensitivity
Data Remanence

• Residual physical representation of information that

was erased in some way.
• This residue may result from:
• data left by a nominal file deletion operation,
• reformatting of storage media that does not remove data
previously written to the media,
• physical properties of the storage media that allow
previously written data to be recovered.
• Undo, autosave, autobackup, performance
Data Remanence Countermeasures

• Clearing: means erasing information so it is not readily

retrieved using recovery software.
• Purging/Sanitization: means making information
unrecoverable even with extraordinary effort such as
physical forensics in a laboratory.
• Destruction: media is made unusable for further use by
breaking, liquefaction, vaporization, or chemical alteration
• Overwriting/Zeroization: Overwriting to ensure that the
data on the media are not practically recoverable.
• Degaussing: Magnetic scrambling of the patterns on a tape
or magnetic disk.
Standard Guidelines

•NIST-SP 800-88 R1, Guidelines for Media

Sanitization, December 2014
•Asset Disposal and Information Security
Alliance (ADISA)
• Founded in 2010
• Recommends standards for safely disposing IT
assets
• Include annual forensic audits of hard disks
Data Retention

•Policies that specify how long different types

of data must be retained (minimums and
maximums)
•Manage risks related to business records
• Risk of compromise of sensitive information
• Risk of loss of important information
• Regulation
Increasing Need for Privacy Laws

•Due to the following factors, there is an

increasing need to enforce the privacy laws
• Business globalization
• Private data flows from country to country for many different
reasons.
• Advancement in Data collection and retrieval
technologies
• Large data warehouses are being created.
• Advancement in Data analytic techniques
• Mining and distributing sensitive information.
Personally Identifiable Information (PII)
• Data that can be used to uniquely identify, contact,
or locate a person.
• It can be used in identity theft, financial crimes, and
various criminal activities.
• Full name, National Identification Number
• Vehicle Registration Number, Driver’s License Number
• Face, fingerprints, handwriting
• Credit card numbers, Digital identity, IP address
• Birthday, Birthplace, Genetic information
• May also include:
• Country, state, city of residence
• Age, Gender, Race, Criminal Record
• Name of the school or workplace
• Grades, salary, or job position
Privacy

May 04, 2018

OECD Guidelines on Protection of Privacy

•Organisation for Economic Co-operation and

Development (OECD)
• Founded in 1961
• 35 member states

•Guidelines Governing the Protection of

Privacy and Trans-border Flows of Personal
Data
• 2013
Core Principles defined by OECD
1. Collection of personal data should be limited,
obtained by lawful and fair means, and with the
knowledge of the subject.
2. Personal data should be kept complete and
current, and be relevant to the purposes for
which it is being used.
3. Subjects should be notified of the reason for the
collection of their personal information at the
time it is collected.
4. Only with the consent of the subject or by the
authority of law should personal data be
disclosed, made available, or used for purposes
other than those previously stated.
Core Principles defined by OECD

5. Reasonable safeguards should be put in place to

protect personal data against risks such as loss,
unauthorized access, modification, and
disclosure.
6. Developments, practices, and policies regarding
personal data should be openly communicated.
7. Subjects should be able to find out whether an
organization has their personal information and
what that information is.
8. Organizations should be accountable for
complying with measures that support the
previous principles.
Intellectual Property (IP) [4]

•Patent
• Protects the idea. Promote the innovation.
•Copyrights
• Protects the expression of the idea. Art work.
•Trademark
• Word or symbol designating the source of some
entity
•Trade Secrets
• Protection of something that provides the
competitive advantage
Internal Protection of IP

•Resources protected by laws should have the

necessary level of protection.
• Resource should be stored on a protected system
with necessary security mechanisms
• Attempts to access and manipulate the resource
should be properly audited
•If a company fails in applying internal
protection, it may not be able to be covered
by the laws,
• because it may have failed to practice due care
and properly protect the resource that it claims
to be important.
Lawsuits by Non Practicing Entities (NPE)
Lawsuits by Non Practicing Entities (NPE)

[Source]: http://www.ipwatchdog.com/2016/01/05/npe-patent-litigation-increased-2015/id=64724/, 2017-10-

16
Software Piracy Rates by Region
Top 30 Piracy Rates
Commercial Value of
Pirated Software
Commercial Value of Pirated Software

[Source]: http://globalstudy.bsa.org/2016/countries.html
 Q&A
14/11/2021 Hasnat Ali 45